This is a step-by-step guide for upgrading from Lobby Auto Admit (version 1) to Lobby Auto Admit (version 2).
Performing the actions below makes a permanent configuration change to your Synergy SKY deployment. Read through the entire guide before starting.
Pre-requisites
Before deploying the Lobby Auto Admit feature, gather the required admin roles and prepare the following prerequisites to ensure secure authentication and a smooth rollout.
1 - Microsoft Entra Admin with the minimum required roles:
- User Administrator
- Authentication Policy Administrator
- Conditional Access Administrator
- Privileged Authentication Administrator
Please note: these roles are only required during initial configuration or policy changes. Day-to-day operation of authenticated rooms does not require ongoing elevated administrative access.
2 - Account with a Microsoft Teams user license (the Lobby Auto Admit user):
- Verified User Principal Name (UPN)
- Microsoft Teams license
3 - SSH Access to the Synergy SKY Management Suite
- The ability to run CLI scripts
For federated identity / Microsoft federated domains
Because the Lobby Auto Admit feature relies on certificate-based authentication and identity authentication through Microsoft Entra, it is important that the Lobby Auto Admit user account is not behind a federated identity. If your organization uses a third-party identity provider, we suggest moving this account to username@company.onmicrosoft.com.
Configuration
Microsoft Entra Configuration
This configuration leverages Microsoft Entra Certificate-Based Authentication (CBA), a native Microsoft authentication mechanism designed for secure, non-interactive and shared device scenarios.
For reference, Microsoft’s official documentation on certificate-based authentication can be found here:
https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-certificate-based-authentication
To enable the Lobby Auto Admit feature, you will complete a short, structured configuration process that establishes a trusted identity for the Lobby Auto Admit user using certificate-based authentication in Microsoft Entra.
The Entra configuration is completed in four stages:
- Assign a Teams license to the associated resource
- [Optional] Place the Lobby Auto Admit user into a security group for policy targeting
- Create a Public Key Infrastructure (PKI)
- Enable certificate-based authentication for the Lobby Auto Admit user
License
The resource requires a Microsoft Teams license. If this is your first time configuring Lobby Auto Admit, create a new user dedicated to this feature.
Group [Optional]
In this step, you will create a Microsoft Entra ID group that explicitly defines that your Lobby Auto Admit user is allowed to authenticate using a certificate. This group will later be referenced by the Certificate-Based Authentication (CBA) and Conditional Access policies.
To create a new security group and add the previously created resource to it, navigate to Microsoft Entra admin center → Groups → All groups → New group.
Create a Public Key Infrastructure (PKI)
In Microsoft Entra, navigate to Identity Secure Score → Public key infrastructure (Preview) → Create PKI.
Naming is at customer discretion.
Next, navigate to the PKI that was just created and press "Add certificate authority".
Generation of the Root Certificate
To do this, you will need access to the command line interface (CLI) of your Synergy SKY Management Suite server.
Navigate to */synergysky_suite/bin
* This depends on where you originally installed your software.
This script makes changes to both your Synergy SKY Management Suite configuration and your Synergy SKY Connect tenant. These changes cannot be reverted, and the rest of this guide must be completed.
./updateLobbyAutoAdmit.sh --upn <UPN>
Add a certificate authority
Upload the root CA certificate generated by the script above.
Enable certificate-based authentication for the group
To enable certificate-based authentication, open Microsoft Entra ID, then navigate to Authentication methods → Policies → Certificate-based authentication.
Assign the group created earlier to this policy, then click Configure to proceed.
Add a rule for authentication binding: select your root certificate and make sure it is set to multi-factor and low affinity binding.
Next, define a certificate authority scoping rule that scopes the certificate authority to the group created earlier. This step controls which resources are permitted to authenticate using certificates.
Synergy SKY Configuration
Once the steps above are complete, the last step is to restart the container so that the new configuration is applied and the new version of the service starts running.
To check the name of your container and that you are using the correct user:
podman ps
After this check has been successfully performed*, run the following:
podman restart synergysky_suite
* If your containers are not listed, it is possible they were installed as a different user.
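The restart step above depends on the container being visible to the user you are logged in as. The following added example (not part of Synergy SKY's own tooling) wraps that check: it parses a podman container listing, looks for the exact name synergysky_suite (assumed from the guide), and only restarts when the container is found, otherwise pointing at the "different user" caveat. The container name and the use of podman's `{{.Names}}` format are assumptions.

```shell
#!/bin/sh
# Added example, not Synergy SKY's own script. Pre-flight check for the
# "podman restart synergysky_suite" step. Container name is assumed from
# the guide and can be overridden via the CONTAINER environment variable.
CONTAINER="${CONTAINER:-synergysky_suite}"

# container_listed NAME LISTING
# LISTING is the text produced by `podman ps --format '{{.Names}}'`, one
# container name per line. Succeeds only on an exact, whole-line match, so
# a similarly named container (e.g. synergysky_suite_old) does not count.
container_listed() {
    name="$1"
    listing="$2"
    printf '%s\n' "$listing" | grep -qxF -- "$name"
}

# restart_state NAME LISTING
# Prints "restart" when the container is visible to the current user, or
# "wrong-user" when it is not, which is the guide's hint that the suite may
# have been installed under a different account.
restart_state() {
    if container_listed "$1" "$2"; then
        echo restart
    else
        echo wrong-user
    fi
}

# podman is only invoked when the script is started with "run"; the
# functions above can be exercised offline with a constructed listing.
if [ "${1:-}" = "run" ]; then
    listing="$(podman ps --format '{{.Names}}')"
    case "$(restart_state "$CONTAINER" "$listing")" in
        restart)
            podman restart "$CONTAINER"
            ;;
        wrong-user)
            echo "Container '$CONTAINER' is not listed for user $(id -un)." >&2
            echo "It may have been installed as a different user; switch to that user and retry." >&2
            exit 1
            ;;
    esac
fi
```

Run it as `./restart_check.sh run` on the Management Suite server; the file name is a placeholder.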
Adding/removing devices
If you add or remove devices in your Configuration tool after this feature has been configured, you must re-run the update script from the top of this article.
Note: it is not required to provide the UPN when updating.
Navigate to */synergysky_suite/bin
* This depends on where you originally installed your software.
./updateLobbyAutoAdmit.sh